OWASP Top 10 2021 mitigation options on Google Cloud

Last reviewed 2021-12-12 UTC

This document helps you identify Google Cloud products and mitigation strategies that can help you defend against common application-level attacks that are outlined in the OWASP Top 10. The OWASP Top 10 is a list by the Open Web Application Security Project (OWASP) Foundation of the top 10 security risks that every application owner should be aware of. Although no security product can guarantee full protection against these risks, applying these products and services where they make sense in your architecture contributes to a strong multi-layer security solution.

Google infrastructure is designed to help you build, deploy, and operate services in a secure way. Physical and operational security, data encryption at rest and in transit, and many other important facets of a secure infrastructure are managed by Google. You inherit these benefits by deploying your applications to Google Cloud, but you might need to take additional measures to protect your application against specific attacks.

The mitigation strategies listed in this document are sorted by application security risk and Google Cloud product. Many products play a role in creating a defense-in-depth strategy against web security risks. This document provides information about how other products can mitigate OWASP Top 10 risks, but it provides additional detail about how Google Cloud Armor and Apigee can mitigate a wide range of those risks. Google Cloud Armor, acting as a web application firewall (WAF), and Apigee, acting as an API gateway, can be especially helpful in blocking different kinds of attacks. These products are in the traffic path from the internet and can block external traffic before it reaches your applications in Google Cloud.

Product overviews

The Google Cloud products listed in the following table can help defend against the top 10 security risks:

Product | Summary
Access Transparency | Expand visibility and control over your cloud provider with admin access logs and approval controls
Artifact Registry | Centrally stores artifacts and build dependencies
Apigee | Design, secure, and scale application programming interfaces
Binary Authorization | Ensure only trusted container images are deployed on Google Kubernetes Engine
Chronicle | Automatically find threats in real time and at scale using Google's infrastructure, detection techniques, and signals
Cloud Asset Inventory | View, monitor, and analyze all your Google Cloud and Google Distributed Cloud Virtual or multi-cloud assets across projects and services
Cloud Build | Build, test, and deploy in Google Cloud
Sensitive Data Protection | Discover, classify, and protect your most sensitive data
Cloud Load Balancing | Control which ciphers your SSL proxy or HTTPS load balancer negotiates
Cloud Logging | Real-time log management and analysis at scale
Cloud Monitoring | Collect and analyze metrics, events, and metadata from Google Cloud services and a wide variety of applications and third-party services
Cloud Source Repositories | Store, manage, and track code in a single place for your team
Container Threat Detection | Continuously monitor the state of container images, evaluate all changes, and monitor remote access attempts to detect runtime attacks in near-real time
Event Threat Detection | Monitor your organization's Cloud Logging stream and detect threats in near-real time
Forseti Inventory | Collect and store snapshots of your architecture
Forseti Scanner | Scan inventory data according to custom-defined policies and alert on unexpected deviations
Google Cloud Armor | A web application firewall (WAF) deployed at the edge of Google's network to help defend against common attack vectors
Google Cloud security bulletins | The latest security bulletins related to Google Cloud products
Identity-Aware Proxy (IAP) | Use identity and context to guard access to your applications and VMs
Identity Platform | Add identity and access management functionality to applications, protect user accounts, and scale identity management
Cloud Key Management Service | Manage encryption keys on Google Cloud
reCAPTCHA Enterprise | Help protect your website from fraudulent activity, spam, and abuse
Secret Manager | Store API keys, passwords, certificates, and other sensitive data
Security Command Center | Centralized visibility for security analytics and threat intelligence to surface vulnerabilities in your applications
Security Health Analytics (SHA) | Generate vulnerability findings that are available in Security Command Center
Titan Security Keys | Help protect high-value users with phishing-resistant 2FA devices that are built with a hardware chip (with firmware engineered by Google) to verify the integrity of the key
Virtual Private Cloud firewalls | Allow or deny connections to or from your virtual machine (VM) instances
VPC Service Controls | Isolate resources of multi-tenant Google Cloud services to mitigate data exfiltration risks
VirusTotal | Analyze suspicious files and URLs to detect types of malware; automatically share them with the security community
Web Security Scanner | Generate vulnerability finding types that are available in Security Command Center

A01: Broken access control

Broken access control refers to access controls that are enforced only on the client side, enforced only partially, or weakly implemented. Mitigating this risk often requires a rewrite on the application side so that the server itself enforces that resources are accessed only by authorized users.

Apigee

Use case:

  • Access control enforcement
  • Limit data manipulation

Apigee supports a layered approach to implementing access controls that keeps bad actors from making unauthorized changes or accessing the system.

Configure role-based access control (RBAC) to only allow users access to the functionality and configuration that they need. Create encrypted key value maps to store sensitive key-value pairs, which appear masked in the Edge UI and in management API calls. Configure single sign-on with your company's identity provider.

Configure developer portals to show specific API products according to user role. Configure the portal to show or hide content based on user role.

Cloud Asset Inventory

Use case:

  • Monitor for unauthorized IT (also known as "shadow IT")
  • Outdated compute instances

One of the most common vectors for data exposure is orphaned or unauthorized IT infrastructure. Set up real-time notifications to alert you to unexpected running resources, which might be improperly secured or running outdated software.

Cloud Load Balancing

Use case:

  • Fine-grained SSL and TLS cipher control

Prevent the use of weak SSL or TLS ciphers by assigning a predefined group or custom list of ciphers that Cloud Load Balancing can use.

Forseti Scanner

Use case:

  • Access control configuration monitoring

Systematically monitor your Google Cloud resources with the goal of ensuring access controls are set as you intended. Create rule-based policies to codify your security stance. If the configuration unexpectedly changes, Forseti Scanner notifies you so that you can automatically revert to a known state.

Google Cloud Armor

Use case:

  • Filter cross-origin requests
  • Filter local or remote file inclusion attacks
  • Filter HTTP parameter pollution attacks

Many cases of broken access control cannot be mitigated by using a web application firewall, because the application does not require, or does not properly check, an access token for every request, and data can be manipulated client side. Multiple Juice Shop challenges relate to broken access control. For example, posting feedback in another user's name exploits the fact that some requests are not authenticated server side. As the challenge solution shows, the exploit for this vulnerability is entirely client-side and therefore cannot be mitigated using Google Cloud Armor.

Some challenges can be partially mitigated server side if the application cannot be immediately patched.

For example, if cross-site request forgery (CSRF) attacks are possible because your web server implements cross-origin resource sharing (CORS) poorly, as demonstrated in the CSRF Juice Shop challenge, you can mitigate this issue by blocking requests from unexpected origins altogether with a custom rule. The following rule matches all requests with origins other than example.com and google.com:

has(request.headers['origin']) &&
  !((request.headers['origin'] == 'https://example.com') ||
    (request.headers['origin'] == 'https://google.com'))

When traffic that matches such a rule is denied, the solution for the CSRF challenge stops working.
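To make the behaviour of that expression concrete, the following added example (not code from the Google Cloud page) mirrors its logic in Python and runs it over a few constructed request header sets. Two points worth noticing: the comparison is an exact string match, so a subdomain or an http:// variant of an allowed origin is denied, and a request with no Origin header at all is not matched by the rule, because has() is false, so it falls through to the other rules in the policy.

```python
# Added example, not part of the original page: a small evaluator that mirrors the
# Cloud Armor custom rule
#   has(request.headers['origin']) && !(origin == 'https://example.com' || origin == 'https://google.com')
# The real rule language is evaluated by Google Cloud; this only reproduces that one
# expression so that its match behaviour can be inspected offline.
from typing import Dict

# The two origins listed in the rule on the page.
ALLOWED_ORIGINS = frozenset({"https://example.com", "https://google.com"})


def origin_rule_matches(headers: Dict[str, str]) -> bool:
    """Return True when the custom rule would match the request.

    HTTP header names are case-insensitive, so they are lowered before lookup.
    The origin value itself is compared exactly: no wildcard, no subdomain match.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    if "origin" not in lowered:
        return False  # has(request.headers['origin']) is false: rule does not match
    return lowered["origin"] not in ALLOWED_ORIGINS


def decide(headers: Dict[str, str]) -> str:
    """Outcome when this rule is configured with a deny(403) action and the
    default rule allows (assumption for the example)."""
    return "deny-403" if origin_rule_matches(headers) else "allow (default rule)"


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "cross-origin POST from another site": {"Origin": "https://evil.example", "Content-Type": "text/plain"},
    "allowed origin":                      {"origin": "https://example.com"},
    "subdomain of allowed origin":         {"Origin": "https://api.example.com"},  # denied: exact match only
    "http instead of https":               {"Origin": "http://example.com"},       # denied: scheme is part of the origin
    "no Origin header":                    {"User-Agent": "curl/8.0"},             # not matched: falls through
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:36} -> {decide(hdrs)}")
```

Because the rule never matches requests without an Origin header, it only blocks cross-origin requests that the browser labels as such; it is a stopgap until the application's own CORS handling and request authentication are fixed.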

The basket manipulation challenge relies on HTTP parameter pollution (HPP), as the challenge solution demonstrates. HPP is detected as part of the preconfigured protocol attack rule set. To help block this kind of attack, use the following rule: evaluatePreconfiguredExpr('protocolattack-stable').

Identity-Aware Proxy and Context-Aware Access

Use case:

  • Centralized access control
  • Works with cloud and on-premises
  • Protects HTTP and TCP connections
  • Context-Aware Access

IAP lets you use identity and cont